
Graduate student: Ming-Wai Tsang (曾明慧)
Thesis title: Analysis of Invisible Data Poisoning Backdoor Attacks against Malware Classifiers
Advisors: Hahn-Ming Lee (李漢銘), Shin-Ming Cheng (鄭欣明)
Oral defense committee: Hahn-Ming Lee (李漢銘), Shin-Ming Cheng (鄭欣明), Chun-Ying Huang (黃俊穎), Pin-Yu Chen (陳品諭), Chia-Mu Yu (游家牧)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2021
Academic year of graduation: 109
Language: Chinese
Number of pages: 54
Keywords: Data poisoning backdoor attacks, Malware classification, Deep learning

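Malware classifiers built with machine learning serve as the first stage of malware detection and therefore occupy a very important position. By learning malicious features through static analysis, these classifiers achieve very high detection accuracy against known threats, but this also gives rise to other security problems, and backdoor attacks on neural networks are one powerful example. A backdoor attack causes a classifier to misclassify specific targets by modifying only a small amount of training data; in malware detection, changing a small number of feature values in a sample to a specific backdoor trigger is enough to achieve a high attack success rate. In the existing literature, there are methods that generate backdoor samples through machine-learning interpretability techniques or gradients and attack the classifier through the training dataset, but no study has yet discussed the invisibility of backdoor attacks. To design a classifier that performs well, understanding highly invisible attacks and guarding against them is one of the key points. In this thesis, we aim to propose a data poisoning backdoor attack against malware classifiers, to give early warning of backdoor attack patterns in the malware detection field and to show that this attack can pose a major threat in this domain. The attack is designed in a way that is completely independent of the classifier model, and it achieves excellent attack success rates on both raw-byte-based and feature-based malware classifiers. Our experiments show that the method used to generate the backdoor trigger has a large impact on the effectiveness of the backdoor attack, and that the highly unique trigger we propose also improves attack success, achieving an excellent evasion success rate by modifying only a small amount of training data. Finally, we verify the proposed backdoor attack with clustering detection and principal component analysis, showing that our backdoor attack is highly invisible and that its backdoor samples are hard to detect or even remove.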


Feature-based malware classifiers using machine learning (ML) are popular because of their highly accurate detection rate, but they have also become the target of malicious actions such as adversarial or backdoor attacks. A backdoor attack causes the classifier to misclassify by modifying a small amount of training data while maintaining the classifier's original detection accuracy. This helps malware carrying the backdoor trigger bypass detection and turns it into real backdoor malware on the endpoint. In the malware detection area, accomplishing such a powerful attack only requires setting a minority of feature values to the crafted trigger in part of the training samples. In this thesis, we propose a backdoor attack based on data poisoning against static malware classifiers, where the typical backdoor attack and the clean-label backdoor attack are implemented on binary-based and feature-based malware classifiers, respectively. Instead of building the poisoned samples using ML interpretation or gradient methods, we calculate from the training dataset the unique feature value that tends toward the malicious space as the backdoor trigger, and use this unique trigger to create our poisoned samples. The unique trigger can be more invisible, as it hides in the background data and in results analysis. Our experimental results show that using the unique feature value as a backdoor trigger is more invisible than the existing solutions.

Chinese Abstract
Abstract
1 Introduction
  1.1 Motivation
  1.2 Challenges and Goals
  1.3 Contributions
  1.4 Outline of the Thesis
2 Background and Related Work
  2.1 Malware Detection with Static Analysis
  2.2 Backdoor Attacks
  2.3 Target Model
  2.4 Threat Model
  2.5 Existing Backdoor Attacks against Malware Classifiers
    2.5.1 Trigger Generation
    2.5.2 Poison Position Selection
  2.6 Invisible Attack Evaluation
    2.6.1 Clustering Detection
    2.6.2 Principal Component Analysis
3 Backdoor Attack against Malware Classifiers
  3.1 Data Poisoning Backdoor Attacks Framework
    3.1.1 Typical Data Poisoning Backdoor Attacks
    3.1.2 Clean Label Data Poisoning Backdoor Attacks
  3.2 Trigger Generation
  3.3 Poison Position Selection
4 Experimental Results and Effectiveness Analysis
  4.1 Environment Setup
    4.1.1 Typical Backdoor Attack
    4.1.2 Clean Label Backdoor Attack
  4.2 Backdoor Attack Effectiveness
    4.2.1 Typical Backdoor Attack Effectiveness
    4.2.2 Clean Label Backdoor Attack Effectiveness
    4.2.3 Backdoor Attack Robustness
  4.3 Invisible Backdoor Attack Experiment
    4.3.1 Clustering Detection
    4.3.2 Principal Component Analysis
5 Discussion and Limitations
  5.1 Observations
  5.2 Limitations
6 Conclusions and Further Work
